Lovable and Vercel incidents, GitHub RCE, EDR vs. AI agents, Mini Shai Halud by Team PCP

GitHub popped by malicious VS code extension, npm staged publishing debuts

This week Jenn and Paul cover: * npm Staged Publishing: npm's new feature adds a human approval checkpoint before a package goes live. Real improvement, real caveats. We walk through what it does, where it falls short, and the questions the docs still don't answer. * DPRK Axios-Linked npm Packages: Paul discovered three malicious npm packages tied to the March Axios attacker that have been quietly harvesting credentials since early April. Classic DPRK multi-use attack infrastructure, built to support Contagious Interview and TaskJacker campaigns running in parallel. * TeamPCP's Biggest Maintainer Compromise Yet: Two npm maintainers compromised. One developer maintained over 540 packages. TeamPCP published over 600 malicious versions. Three of the affected packages alone account for more than 5 million weekly downloads. * GitHub Employee Device Compromised via Poisoned VS Code Extension: A malicious Nx Console extension published May 18th made it to a GitHub employee's device, exposing an estimated 3,800 repositories. The credential theft happened seven days earlier through the TanStack compromise. We also cover the CISA "private" repository that was not private, and what both incidents say about secrets management and GitHub permissions defaults. Episode Resources: * npm Staged Publishing documentation [https://docs.npmjs.com/staged-publishing] * Axios attacker strikes again: Three npm packages hiding in plain sight for two months [https://opensourcemalware.com/blog/axios-attacker-additional-npm-packages] * TeamPCP compromises npm maintainer with over 540 packages [https://opensourcemalware.com/blog/teampcp-compromises-npm-maintainer-with-over-540-packages] * OpenSourceMalware threat report: nrwl.angular-console (Nx Console) [https://opensourcemalware.com/vscode/nrwl.angular-console] * Nx Console v18.95.0 postmortem [https://nx.dev/blog/nx-console-v18-95-0-postmortem]

RubyGems bot attack, ShinyHunters ransom Canvas, and the latest on Mini Shai Hulud

Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty for episode four! In this episode: * RubyGems bot attack: Hundreds of bots pushed 500-plus packages to RubyGems, some carrying exploits, forcing the registry to shut down new account signups. Jenn and Paul break down why the DDoS label may be misleading and what this exposes about the friction-vs-safety tradeoff every open source registry faces. * Canvas ransomware by ShinyHunters: ShinyHunters breached Instructure, the company behind the Canvas LMS used by over 30 million students globally, stealing 3.65TB of data including private messages between students and teachers. Instructure said almost nothing publicly for days. Jenn and Paul discuss the data sensitivity risks for minors and close with breaking news: Instructure paid the ransom. * Mini Shai Hulud and TanStack: Team PCP is not connected to the original 2025 Shai Hulud campaign. Paul explains how they used Adnan Khan's GitHub Actions cache poisoning technique to compromise TanStack and 90-plus packages without long-lived credentials, why attestation and trusted publishing didn't stop it, what the CIS country geofencing in the payload actually signals, how malware is now targeting .claude directories on developer machines, why novel malware still dominates the OpenSourceMalware database by volume, and why open sourcing their worm and doing press interviews is likely to hasten Team PCP's capture. Episode Resources: * RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded [https://thehackernews.com/2026/05/rubygems-suspends-new-signups-after.html] * RubyGems status page [https://status.rubygems.org/incidents/cytf062tkwtt] * OpenSourceMalware RubyGems threat records [https://opensourcemalware.com/?type=package&ecosystem=rubygems] * OpenSourceMalware Mini Shai-Hulud threat records [https://opensourcemalware.com/?search=%23mini-shai-hulud] * Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak [https://thehackernews.com/2026/05/instructure-reaches-ransom-agreement.html] * blog: Mini Shai-Hulud Borrowed Its Best Trick From PolinRider [https://opensourcemalware.com/blog/mini-shai-hulud] * blog: TeamPCP Compromises MistralAI and OpenSearch [https://opensourcemalware.com/blog/teampcp-mistralai-opensearch-compromised] * TanStack npm supply-chain compromise postmortem [https://tanstack.com/blog/npm-supply-chain-compromise-postmortem] * The Monsters in Your Build Cache - GitHub Actions Cache Poisoning [https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/] * TeamPCP interview [https://buymeacoffee.com/insidedarknet/teampcp-interview]

Git hook persistence, Antrea compromise, Dirty Frag, cPanel exploitation, interpreted language malware

Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty for episode three, covering the latest threat activity and a deep dive they've been promising since episode one. In this episode: * DPRK Lazarus Group using git hooks: Paul's latest research shows the Contagious Interview / TaskJacker campaign has evolved. The initial loader is still the VS Code task.json file, but it now calls concatenated Git commands that drop malware via pre-commit and post-checkout git hooks, hiding the payload URL from the place researchers have been looking. Post-checkout is particularly clever: it fires every time a developer checks out a branch, and most people never think to audit it. * Antrea Kubernetes project compromise: The Antrea project, a popular Kubernetes CNI dependency, was compromised but so far no malware has been dropped into it. Paul has been tracking the threat actor and reached out proactively to the maintainers. The source of compromise is contested (we have evidence it was through the March Trivy compromise), but the core takeaway stands: threat actors don't always act immediately on stolen credentials. Assume credentials are burned and rotate aggressively. * Dirty Frag Linux local privilege escalation: Dirty Frag is a new vulnerability class discovered and reported by Hyunwoo Kim (@v4bel) that chains two page-cache write vulnerabilities (the xfrm-ESP bug and the RxRPC bug) to obtain root privileges on major Linux distributions. It extends the same bug class as Dirty Pipe and Copy Fail. Because it is a deterministic logic bug rather than a race condition, it doesn’t require precise timing, does not panic the kernel on failure, and has a very high success rate. The embargo broke before a patch or CVE existed. It is already public. * cPanel actively exploited at scale: A critical actively exploited vulnerability in cPanel is hitting organizations below the security poverty line hardest. The infosec press has been quiet, but incident responders are getting hammered. Every geolocation, every crew. If you're doing IR right now, you're not alone. * Deep dive on interpreted language malware vs. compiled malware: Most malicious open source packages are written in JavaScript or Python, and that is not an accident. Jenn and Paul walk through why: no compilation step means the attack artifact ships with variable names and structural intent intact, post-install scripts enable auto-execution at install time, and sandboxes consistently fail against interpreted language malware for structural reasons. They also cover where static analysis fits in and why purpose-built engines outperform LLM-heavy pipelines for this problem. Episode Resources: * DPRK abusing git hooks [https://opensourcemalware.com/blog/dprk-git-hooks-malware] * Antrea project compromise [https://opensourcemalware.com/blog/antrea-compromise2] * Dirty Frag [https://github.com/V4bel/dirtyfrag ]

Lovable and Vercel incidents, GitHub RCE, EDR vs. AI agents, Mini Shai Halud by Team PCP

Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty as they cover a week that had defenders everywhere ready to call it on 2026. In this episode, we cover four topics: * Lovable and Vercel incident response failures: Two AI-native platforms had significant security incidents in recent weeks, and both initially responded by minimizing the severity. We break down why Lovable's regression exposed source code and full chat history to any free account holder (the mother of all IDORs), why Vercel's response left paying customers without a single actionable mitigation step, and what good incident response communication actually looks like. * GitHub RCE via git push: A remote code execution vulnerability sitting in GitHub's codebase for over a decade allowed arbitrary code to be passed and executed via the -o option on a git push. We discuss why this happened, why it is not entirely surprising given Git's design history, and what it means for the ecosystem. * EDR vs. AI coding agents: Paul's EDR flagged his own development environment as infected while he was refactoring a library with Claude. We unpack why AI agents operating at non-human speed trigger the same behavioral signatures as ransomware, and why this is going to become a bigger problem as agentic coding workflows become the norm. * Mini Shai Halud by Team PCP: Team PCP's latest campaign compromised the Lightning Python package (15 million downloads per week) and the Intercom npm client (370,000 downloads per week), among others. We cover what makes this campaign notable: Team PCP has adopted the VS Code tasks file persistence technique previously seen only in DPRK-linked campaigns like TasksJacker and Pollen Rider. We also discuss what over 2,000 exfiltration repositories on GitHub mean for affected developers and organizations, and what you should be doing right now if you are worried you are affected. Episode Resources: AI Full-Stack Development: The Anti-Patterns Rise Against Us - Part 1 [https://opensourcemalware.com/blog/rise-ai-anti-patterns]Our research on some security anti-patterns we discovered when auditing how AI tools write code Mini Shai-Hulud Borrowed Its Best Trick From PolinRider [https://opensourcemalware.com/blog/mini-shai-hulud]An analysis of the TeamPCP campaign “mini Shai Hulud, including details on the trick they borrowed from North Korean campaigns like PolinRider and Contagious Interview Renovate & Dependabot: The New Malware Delivery System [https://blog.gitguardian.com/renovate-dependabot-the-new-malware-delivery-system/]A GitGuardian blog about the way these tools can accidentally auto-install malware

Bitwarden CLI compromise, npm lifecycle scripts, OWASP cheat sheet, cross-ecosystem attacks

Welcome to the very first episode of The OpenSourceMalware Show! Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty as they break down the latest news, threats, and best practices in the open-source ecosystem.  In this episode, we dive into four major topics: * Bitwarden CLI Compromise: We analyze the recently discovered malicious version (2026.4.0) of the Bitwarden CLI package. We break down how this cloud-native infostealer silently executes via pre-install scripts to harvest credentials across AWS, Azure, GCP, and GitHub, as well as hoovering up AI config files like Claude. We also discuss its exfiltration tactics to a lookalike domain and explain why we are skeptical of the threat actor's claims that this is the "third coming of Shai-Hulud". * The Danger of npm Lifecycle Scripts: Why are pre-install and post-install scripts such a popular attack path? We discuss how threat actors exploit these convenience features to auto-install malware. We also explore the differences between package managers, noting that while these scripts are off by default in tools like pnpm and bun, they remain on by default in npm. * OWASP's npm Security Cheat Sheet: We review a 12-point cheat sheet from OWASP covering npm security best practices. We share our thoughts on artifact governance, the realities of responsible disclosure, and why falling for dependency confusion or typo squatting attacks relies more on machine automation than just "dummy" human errors.  * GenAI and Cross-Ecosystem Attacks: We wrap up with an alarming new trend we observed just this week: threat actors using Generative AI (like Claude) to rapidly translate working malware into different programming languages. This enabled them to deploy malicious packages across multiple ecosystems to target users of a specific company within a coordinated 8-hour window. Resources: * bitwarden/cli threat report [https://opensourcemalware.com/npm/@bitwarden/cli] * NPM security cheat sheet from OWASP [https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html] * Get started [https://opensourcemalware.com/] with OpenSourceMalware for free